Unwelcome Guests

Hackers are out there, and they're targeting hotels. Will your hotel be next? Would you know if your hotel was hacked?

While data breaches at several large retailers like Target and Neiman Marcus are dominating headlines, the hotel industry is finding its share of scrutiny too. The recent revelation that White Lodging’s systems were hacked at several of its managed hotels underscores the disturbing fact that lodging properties are equally vulnerable, maybe even more so than the retail industry.

Trustwave, a global information security company focused on data breaches, found hotels are topped only by retail and food and beverage establishments for security infiltrations. When you consider many hotels also feature retail outlets in the form of gift shops as well as restaurants, hotels make a particularly attractive target for hackers since all those services are integrated into one server, notes Chris Pogue, a director at Trustwave. “It’s a one-stop shop for attackers,” he says. “If they can hit that integration server, they are able to extract from all three environments without having to individually breach each one of those.” (It’s worth noting that the breaches at the White Lodging properties occurred at F&B outlets, according to a company statement.)

Further, hotels depend almost exclusively on credit cards for payments, adds Robert Braun, senior member of the global hospitality group of the law firm of Jeffer Mangels Butler & Mitchell, LLP in Los Angeles.

Many hotels are even more vulnerable because in many instances they share or have similar IT programs. “Many hotels share the same systems, so once you find your way into one system, it’s relatively easy to find your way into the others,” Braun says.

Let’s not forget free WiFi, which has quickly become a staple within the lodging industry. Therefore, there are many points of entry into a hotel’s data system that hackers can infiltrate, Braun states.

Preventing a breach

The first step in preventing a data breach is partnering with a third-party vendor specializing in data security and integrity. While a hotel’s IT staff may be helpful in handling general technology issues such as setting up the WiFi and ensuring all systems work from a guest experience perspective, those employees most likely don’t have the intricate expertise needed to protect a hotel’s private customer data.

Moreover, any data security system implemented must be continually tested by experts trained in understanding how a hacker thinks, Pogue stresses.

Another important component for creating a secure data structure is achieving buy-in from the top of the organization on down, Braun says. “If security and privacy is relegated to the CIO or to a compliance officer or someone like that, then it won’t be taken that seriously. There has to be a real commitment,” he says. “We advise directors and officers on this and what I tell them today is, do you really want to be in front of Congress explaining yourself, like these guys at Target and others have done? You don’t want that.”

Yet, according to the experts, there are relatively simple tactics hotels can employ to ward off data breaches. Phillip Smith, Trustwave’s senior vice president of government solutions, recently spoke at a congressional hearing on the spate of data breaches at retailers like Target.

Sometimes it’s just a matter of following good security measures on a daily basis, not to mention devising passwords that can confound a would-be hacker. “A lot of these breaches occur because systems are unpatched and user names and passwords are very weak, often the default password,” he says.

Or placing those passwords in plain sight. Case in point: Braun recalls the time he went to a hotel and asked to use a copier behind the front desk. When he did so, he noticed a username and password taped to a computer. Moreover, since hotels tend to have a large turnover of staff, he also suggests restricting the number of people who have access to sensitive data.

After a breach

According to Smith, only about a quarter of data breaches are discovered by the targeted organizations themselves. That means it’s more likely that an outside party — the credit card company or even a law enforcement agency — comes knocking on the door informing the hotel company that it has suffered a breach.

Even more troubling, there is an average lag time of 210 days before a breach is detected, meaning hackers could be mining data for seven months, Pogue says.

Consequently, when a breach occurs, it is vital to have an immediate incident response plan in place that includes containment strategies and identifies which regulatory bodies to contact.

While that may seem straightforward, Smith points out that 47 states have implemented statutory requirements for reporting data breaches. Even if the breach affected one person in one state, that state’s law must be obeyed. “It’s a very complex effort for them to go through, but it’s one they are obligated to do by law,” he says.

Given the potential liability a breach may pose, getting legal guidance is warranted, Braun emphasizes. After that, it could mean hiring technical experts to fix the breach, paying to notify cardholders and covering legal fees, in addition to other unexpected expenses.

All that takes money — an average of $5.5 million per breach, according to Braun — which a hotel may not have in the budget. Hotels can purchase cyber security insurance, which pays the costs associated with a breach. However, Braun urges that hotel companies read the fine print so they know exactly what the policy covers or doesn’t cover. For instance, a policy may not provide coverage for expenses that are not specifically mandated by law.